[00:00.000 --> 00:06.560]  Hi, everyone. Welcome to the Biohacking Village at DEF CON. This is our sixth year. I am Nina
[00:06.560 --> 00:11.600]  Alli. I am the executive director. This is my fifth year of running the village. Thank
[00:11.600 --> 00:18.600]  you for coming. I want to let you know that this year has been quite an adventure. It's
[00:18.600 --> 00:25.240]  been very similar to one of those choose your adventure books where it's just so many options
[00:25.240 --> 00:30.660]  and you're working through everything trying to make it all work. I decided last year that
[00:30.660 --> 00:35.880]  I was going to do the keynote, but I knew that I didn't want to do it myself. So what I have
[00:35.880 --> 00:44.540]  done is accumulated folks that I know, folks that I trust, and people that have very strong
[00:44.540 --> 00:51.340]  expertise in their field. And I talked to them. And I want you to know that I did not prep them
[00:51.340 --> 00:55.660]  for these interviews. I did not give them questions beforehand. Everything you see is
[00:55.660 --> 01:03.860]  raw emotion, raw gut reactions. And I think the information is really important, especially right
[01:03.860 --> 01:11.420]  now and for the future of where we are going to go with healthcare and how we can secure it and
[01:11.420 --> 01:21.120]  make patient safety a priority. Thanks for watching. Hey, how are you? I'm getting you.
[01:21.200 --> 01:28.680]  I'm okay. So I brought you here because I want the biohacking community to see the people that
[01:28.680 --> 01:34.320]  I talk to, see who I engage with, see where my brain thoughts lie and who I talk to at three
[01:34.320 --> 01:44.160]  in the morning, Eastern Time, when my brain isn't stopping. So quick origin story on you is...
[01:44.160 --> 01:49.120]  I met you three years ago. Jayson Street gave us the introduction of Black Hat. And yes,
[01:49.120 --> 01:58.960]  I do remember everything. Good brain. And then my talk got accepted home to own my own pacemaker at
[01:58.960 --> 02:06.920]  Biohack Village. We kind of just fell into a friendship, I think. It was just instantaneous,
[02:06.920 --> 02:13.160]  like I knew my whole life. I remember, like with my first talk, we shared tequila. I really needed
[02:13.160 --> 02:23.040]  it. And now, three years later, we're still kicking ass, taking names and planning big things.
[02:23.040 --> 02:29.590]  We became instant friends. And we have continuous dialogues at 3 a.m. Eastern,
[02:31.080 --> 02:38.360]  depending on times here, between like 8 and 9 a.m. your time. What are you working on right now?
[02:39.360 --> 02:45.600]  Working on standardizing and defining shit. I'm slightly tired of us, you know,
[02:45.600 --> 02:51.060]  having this cookie-cutter approach to medical security and healthcare security. Because let's
[02:51.060 --> 02:55.480]  face it, you know, this is not a Windows 10 machine or the standard endpoint we're dealing
[02:55.480 --> 03:02.500]  with. Each one has a different way. So why are we making it harder on ourselves by not
[03:02.500 --> 03:07.900]  defining and standardizing? So that's my pet project, is just to get the shit right, define
[03:07.900 --> 03:13.480]  it out. And let's understand what we're dealing with. Let's listen to the devices. Let's not do
[03:13.480 --> 03:20.020]  all the talking. Let the data speak. What's your call to action to the community?
[03:20.560 --> 03:26.040]  I think the biggest thing I've realized is as a community, we can't work together, can't listen
[03:26.040 --> 03:32.760]  to diverse objective stories. So just because someone disagrees with you, doesn't mean they're
[03:32.760 --> 03:38.540]  wrong or you're wrong. I think the community as a whole, we should approach this not just about
[03:38.540 --> 03:43.140]  finding problems, we should be finding the solutions. So we should be the builders, the
[03:43.140 --> 03:50.460]  breakers and the pioneers going forward. But it takes a village, pun intended, right? Yeah,
[03:50.460 --> 04:01.660]  I did it. I did a mom joke. We need to do better. Shameless plug. Hey, don't always
[04:02.500 --> 04:09.480]  see someone that's five foot nothing. I have an opinion, I have a voice. It's not refined,
[04:09.480 --> 04:14.840]  it's not pretty, right? I'm going to call it as I see it. But don't always take offense. It comes
[04:14.840 --> 04:21.740]  from a good place. And if you want someone to do log analysis, it is what I eat for breakfast,
[04:21.740 --> 04:28.440]  lunch and supper. I love logs. I love data. Because I believe we can't wait for something
[04:28.440 --> 04:33.860]  to happen and ask where's the data, where's the evidence? I want to build this shit in now.
[04:33.860 --> 04:38.900]  Because come 10 years, I can turn around and say, hey, you claim you hacked this device?
[04:39.020 --> 04:45.540]  Well, motherfucker, you did not. Who do you want to collaborate with? Everyone.
[04:46.060 --> 04:50.640]  But I see it as a trifecta, right? It's this triangle. Engineering is awesome. And I'm
[04:50.640 --> 04:56.240]  geeking out on it because recently I got exposed to an MDM and I got to see the engineering pipeline,
[04:57.100 --> 05:02.060]  which led me to build parsers in Python I never thought I'd do because I was convinced the
[05:02.060 --> 05:09.580]  internet would blow up if I designed something. And I realized that we have a regulatory body,
[05:09.580 --> 05:15.520]  we have an MDM and we have researchers. And that's what's going to make the future better,
[05:15.520 --> 05:22.040]  these three elements working together to strengthen healthcare and medical security.
[05:22.640 --> 05:29.820]  But we shouldn't be imposing things that break healthcare or medical devices further. Because
[05:29.820 --> 05:36.400]  people like me, this one sitting here, I need this device. And if we make it so hard
[05:36.400 --> 05:42.100]  that manufacturers stop doing it, you know, people like me won't have a second chance.
[05:42.600 --> 05:46.620]  So I think you know me well enough that I'm going to throw random things at you.
[05:46.880 --> 05:50.480]  I can see your brain going. I've been expecting it to bring it on.
[05:50.480 --> 05:52.120]  What's your controversial opinion?
[05:52.960 --> 05:59.320]  My controversial opinion is this, that imposing SBOMs into healthcare and expecting them to
[05:59.320 --> 06:05.620]  take on the manufacturer role is going to lead to it breaking. And the reason being is the
[06:05.620 --> 06:11.440]  manufacturer has the responsibility, the ownership to maintain their ship, build them better and keep
[06:11.440 --> 06:19.440]  them safe. But here's the thing, we're expecting hospitals to do this. COVID-19 came in worldwide,
[06:19.440 --> 06:25.080]  globally, swept it, broke it. And this is something they built to do. They're supposed to deal with
[06:25.820 --> 06:32.660]  viruses and pandemics. So if we make cyber security of medical devices their responsibility,
[06:33.240 --> 06:39.500]  we're expecting them to thrive in something they're not built to do and they're not ready to do.
[06:40.360 --> 06:45.180]  So yes, SBOM for manufacturers, hell yes, bring it on, they should be doing this shit.
[06:45.180 --> 06:49.420]  It's manufacturing. This is not a hospital function.
[06:51.140 --> 07:00.060]  As a biohacker that works in technology, how do you want to better integrate with regulatory folks,
[07:00.060 --> 07:05.780]  with political entities, with hospitals, etc.?
[07:06.380 --> 07:11.260]  I just want to be given the opportunity to be heard and I want to listen. I want to listen
[07:11.260 --> 07:18.680]  what they need to have done, what help they need. This is not a me against them. This is saying,
[07:18.680 --> 07:25.500]  let's put our brains together. One collective brain is not enough. We need this diverse
[07:25.500 --> 07:32.300]  group. And this is why us talking is so awesome. Because I never knew that patient record was as
[07:32.300 --> 07:41.120]  important as it is until we had the discussion and we had an argument. We had that, we disagreed.
[07:41.120 --> 07:47.040]  But the fact is, you showed the data, you brought the data and you changed my mind.
[07:47.660 --> 07:53.400]  And the thing is, we shouldn't be scared to be wrong. We should be acknowledging that, hey,
[07:53.400 --> 07:58.840]  this is not going to work. Or hey, we made a mistake. Because it takes a stronger entity
[07:59.440 --> 08:07.900]  to do that than trying to hide it. And that counts for MDM, hackers, anyone. I have big
[08:07.900 --> 08:13.400]  enough balls to tell you if I was wrong. Because that's the person that I am. I own my shit.
[08:15.560 --> 08:19.020]  How do you want to leave this? What's your message after this?
[08:19.460 --> 08:24.380]  That together, we can change the world of healthcare and medical device security.
[08:24.400 --> 08:32.380]  Because we're dealing with a legacy of devices, an ocean full of them. 600,000 new implanted
[08:32.380 --> 08:40.080]  devices a year. They last 10 years at a minimum. Right? That is a legacy that I don't want to see
[08:40.080 --> 08:47.920]  increase yearly. The time for change is now. Not yesterday, not tomorrow. Now. Because otherwise,
[08:47.920 --> 08:52.880]  we face legacy that's going to come back and bite us in the ass. And patients like me
[08:52.880 --> 08:58.540]  won't have access to these devices. Because their first and foremost function
[08:59.200 --> 09:07.340]  is to keep us alive and give us clinical and healthcare-related support. They're not there
[09:07.340 --> 09:12.640]  to be secure. I mean, for fuck's sakes, if I have to tell the doctor, hold on, you need my username
[09:12.640 --> 09:22.080]  and password, or you need my cryptographic keys, I'll be dead. I saw that. It's in a split second.
[09:22.180 --> 09:27.900]  So let's get this shit right. Let's do it now before legacy comes back and bites us in the ass.
[09:28.100 --> 09:33.120]  What's your controversial opinion on recording as well, seeing as you're fucking throwing us all
[09:33.120 --> 09:36.980]  under the bus? What's your controversy? Well played.
[09:38.380 --> 09:44.200]  My controversial opinion. Electronic medical records are not looked at by anyone,
[09:44.200 --> 09:51.200]  and it's exhausting. You and I had this conversation. Everybody looks at medical
[09:51.200 --> 09:54.400]  devices because they're tangible. They're something you can hold on to and you can
[09:54.400 --> 10:02.360]  pick up off of eBay and, you know, find a thing. But electronic medical records are hoarded so
[10:02.360 --> 10:07.060]  intensely, and they're not in a lot of legislature. They're not really defined.
[10:07.060 --> 10:12.120]  They are not medical devices. And because they're not medical devices, we don't necessarily, we,
[10:12.120 --> 10:18.860]  the group, don't necessarily treat them well. But when you look at it, I can have a medical
[10:18.860 --> 10:23.540]  device that does one thing. It holds one source of information, right? Like your heart pacemaker
[10:23.540 --> 10:29.100]  holds your heart information, where the electronic medical record holds all of the information.
[10:29.100 --> 10:33.340]  So when you look for that wealth of data, and I'm going to find this one thing that's very
[10:33.340 --> 10:40.700]  specific, or I can find all of it. And that's what I've done. Again, I did it for so long that
[10:40.700 --> 10:45.260]  when people say, like, this is the most important thing, I'm like, yeah, but you're getting that
[10:45.260 --> 10:53.960]  information how? There's so many links into this one small piece, and just no regard to it.
[10:54.400 --> 10:59.340]  Yeah, but I think the problem is because we're not defining the ship, right? Because that is like
[10:59.340 --> 11:05.180]  the ultimate goldmine. It's not necessarily a device, but it's a container that holds
[11:06.220 --> 11:11.720]  everything, right? If those are the keys to the kingdom, it's the ultimate...
[11:11.720 --> 11:17.220]  Exactly. How does that even happen? You can have the one thing, you can have the pacemaker,
[11:17.220 --> 11:24.480]  but you need all of the other things to make an educated device. Educated to system. There's
[11:24.480 --> 11:29.720]  educated decision. There's decision support built into this thing that will say,
[11:30.640 --> 11:35.640]  you're going to give this person a defibrillator of some sort. Oh, BTW, did you know that this
[11:35.640 --> 11:43.600]  person, you can't give them this one because of whatever reason this is. It's a support system.
[11:43.600 --> 11:48.000]  It's a container. It does all the things. Now you've got me riled up. Thank you.
[11:49.200 --> 11:51.940]  It's a treasure trove. That's what it is.
[11:51.940 --> 11:56.800]  I've done talks about this. I can own your pacemaker and like, oh, I got a thing.
[11:57.480 --> 12:04.840]  It's worth how much? 50? 500? I can own a hospital because that's essentially what you're doing once
[12:04.840 --> 12:08.740]  you get the EMR. Because you get into the EMR, you get into everything else because it's all
[12:08.740 --> 12:17.380]  the APIs, because whatever is going on and it's just gone. And that is mind-blowing to me.
[12:17.540 --> 12:23.540]  But I mean, the purpose of cybercrime, right, is about money. So what can I sell and what can I
[12:23.540 --> 12:30.580]  keep on selling? And how can I get, you know, have persistence? Exactly. I mean, it's the product
[12:30.580 --> 12:34.400]  that, you know, forever paying because everyone's going to want to have that.
[12:35.060 --> 12:42.760]  Because now I'm upset about life. They're not even connected. So like New York does not connect
[12:42.760 --> 12:47.740]  to DC, which doesn't connect to Seattle, which doesn't connect to anything. So me as a human,
[12:47.740 --> 12:52.300]  I now have to regurgitate my whole life history of all the things that are right and wrong with me,
[12:52.300 --> 12:59.100]  because you don't know. I can make all of the things up. I can negate so much information.
[12:59.740 --> 13:05.980]  Did you know that 18% of healthcare workers indicated that for the right price,
[13:05.980 --> 13:10.800]  they would sell their data? Yeah. Insider threat, right? We just over,
[13:10.800 --> 13:18.880]  we overlook it. And there's a print mechanism on these things. You just boop. You're good.
[13:18.880 --> 13:23.420]  How do you feel about zero trust, Nina? Tell us how you really feel.
[13:29.860 --> 13:32.240]  We currently work on least privilege, right?
[13:34.120 --> 13:39.420]  Least privilege is still an indication of trust. It's trust, but verify in a way.
[13:40.100 --> 13:46.400]  Not in healthcare. We shouldn't have that. There's, this is, this is sanctified information.
[13:46.400 --> 13:51.340]  This is literally you in data form. And we're just like, here, it's fine. Go get it. We're cool.
[13:51.340 --> 13:55.180]  We trust you. You trust me because I work here, but you don't know who I am as a person.
[13:55.180 --> 14:01.100]  You know that I have a certain skill set. But zero trust needs to be better incorporated.
[14:01.620 --> 14:07.180]  It needs to be incorporated better in technology and industry generally, but healthcare needs it
[14:07.180 --> 14:13.600]  more because of the sensitivity and the specificity of the information. You, you roll somebody up
[14:14.660 --> 14:20.440]  on their labs and they're off by whatever number this is. You can overdose them.
[14:20.440 --> 14:25.960]  You cannot do a thing. You can treat them. You can give them the wrong blood. You,
[14:25.960 --> 14:31.080]  there's so many different options. You need to know that everything is, is in their place.
[14:31.100 --> 14:35.040]  You need to know that you can get into things and you can't get into things. And this is,
[14:35.040 --> 14:42.580]  this is why the hierarchy is as such. And we're not doing that. And medical is so,
[14:42.960 --> 14:48.000]  it's very flawed, but it's also one of the last technologies to go live with any sort of tech
[14:48.000 --> 14:53.480]  and any sort of security because we've had that cloak of, you know, we're cool. We're good because
[14:53.480 --> 14:58.940]  we are the doctors and we know the things. And if I tell you that this is wrong and this is the
[14:58.940 --> 15:02.360]  medication you need, you're going to trust me because you don't have that information.
[15:02.480 --> 15:07.240]  And you're going to trust me because I'm giving you that information. It's the same thing. And
[15:07.240 --> 15:13.300]  we did that Hippocratic, I Am The Cavalry did that Hippocratic Oath of medical device manufacturers
[15:13.920 --> 15:19.420]  should have taken that Hippocratic Oath. If you read down the article, I go further. I said,
[15:19.420 --> 15:23.860]  the hospitals need to also take that Hippocratic Oath because that is your information. That is
[15:23.860 --> 15:30.520]  them holding you in digital format. What is the difference? There is none. There is absolutely
[15:30.520 --> 15:38.140]  none. You're sly. You knew this was going to happen. I didn't think this was going to,
[15:38.140 --> 15:44.220]  I thought this was going to be like, oh my God, I should, I should turn this, you asshole. I
[15:44.220 --> 15:49.600]  should be like, this is everybody grilling me about shit. It's us having a conversation and
[15:49.600 --> 15:56.820]  this is how this goes. But I like the fact that, you know, we verify but never trust.
[15:57.440 --> 16:03.220]  I like that about zero trust. Because for long we've done trust but verify. But I mean,
[16:03.220 --> 16:07.780]  do you think, I'm going to throw this out, that an APT is above attaching a medical
[16:07.780 --> 16:13.320]  device or implanting it into a covert operative and sending them into a hospital? Absolutely not.
[16:13.320 --> 16:19.040]  Absolutely not. So yeah, we shouldn't be trusting bring your own medical device.
[16:19.040 --> 16:23.400]  It should not be a thing. I always love our chats. I just want to say that.
[16:24.260 --> 16:31.240]  So Yusef Enriquez, two sentences about you. What's your origin story? Okay, origin story,
[16:31.240 --> 16:37.160]  prior FDA, worked in medical devices and medical countermeasure for the FDA.
[16:37.160 --> 16:43.020]  And currently working with Chemical Bio Threat Reduction Agency.
[16:43.520 --> 16:49.100]  Okay, so all those things that you just said, what's the most interesting thing that you're
[16:49.100 --> 16:54.440]  working on right now? Most interesting I'm working on is using quantum dots to test for COVID
[16:54.440 --> 17:02.680]  antibodies. Just started working with the Aberdeen folks at the ChemBio center up there in Aberdeen.
[17:03.360 --> 17:09.960]  Hopefully we could start using quantum dots to test for other infectious disease and maybe
[17:10.980 --> 17:18.400]  explosives. Okay, if you were going to rip the guts out of healthcare, what would that entail?
[17:19.320 --> 17:23.300]  The data set? Expand.
[17:24.320 --> 17:30.320]  I think over the last 50 years, it's been 95% European white males. So I don't understand
[17:30.320 --> 17:35.700]  the term precision medicine, given the fact that we've been doing race-based therapy for the last
[17:35.700 --> 17:42.000]  60 years. Okay, how are you going to do that? How are you going to rip this up? How are you going
[17:42.000 --> 17:47.240]  to change the paradigm? Well, I thought about calling Dr. Collins at NIH and tell him to stop
[17:47.240 --> 17:53.620]  funding all white male scientists, but that might be a little bit above his pay grade. But I truly
[17:53.620 --> 17:58.020]  believe that we're going to have to start building data sets from the ground up, scratch what's
[17:58.020 --> 18:04.420]  already there, because I think it's complete bullshit. So is your call to action that
[18:05.660 --> 18:12.100]  all white male clinical studies be ended and then bring other folks in? Because traditionally,
[18:12.100 --> 18:18.260]  there's been historic issues with people of color not being particularly keen on signing the paper
[18:18.260 --> 18:27.700]  of a clinical trial. So what is the best way to get those folks involved? Well, the first thing
[18:27.700 --> 18:32.340]  is take the bias out of the folks that's reviewing the clinical trial R01s. Okay,
[18:32.340 --> 18:34.960]  so how are you going to take the bias out? Because that's ingrained, no?
[18:35.420 --> 18:41.720]  Yeah, Dr. Collins is going to have to do a better job of hiring more African Americans,
[18:41.720 --> 18:48.840]  minorities, and women at the NIH, because it starts there. I mean, the socioeconomic bias
[18:48.840 --> 18:53.820]  that's already implanted, once they look at the application, anything that refers to lack
[18:53.820 --> 19:01.640]  diversity or diversity gets thrown in the trash. Is that going to solve the problem in its entirety?
[19:02.800 --> 19:08.180]  That'll begin some of the solving the problem. And then I think, you know, what you'll start
[19:08.180 --> 19:14.160]  to see is that trust will come back. Minorities will trust other minorities to do study. I raised
[19:15.360 --> 19:20.460]  clinical trial enrollment at the Bronx VA just because I was African American. I was able to
[19:20.460 --> 19:26.360]  increase trials because they saw one African American guy in the entire psychiatry department
[19:26.360 --> 19:31.860]  at the Bronx VA their entire time. They had veterans there that had been going to that VA
[19:31.860 --> 19:37.220]  for 30 years that they've never seen an African American or minority scientist
[19:38.120 --> 19:41.900]  asking them for their blood or asking them to do a sign up for a trial.
[19:43.960 --> 19:51.660]  So, from conversations with you, you have a lot of opinions about the EUAs. So, what's an EUA?
[19:52.220 --> 19:58.660]  What's your controversial opinion? I think I'm getting a little concerned. I think we're over
[19:58.660 --> 20:03.360]  about 25. I feel like from our conversations, you're a little more than a little concerned. Yeah,
[20:04.480 --> 20:10.040]  let's ratchet it up a little bit. I think we're in the red as far as these EUAs being
[20:10.040 --> 20:17.820]  approved because the confidence interval that's required is 95%. We now have EUAs,
[20:17.820 --> 20:22.520]  which is emergency use authorization for COVID testing, as low as 65%.
[20:23.680 --> 20:29.680]  So, I mean, you don't have to be a mathematician to see. That's a D on your report card.
[20:29.880 --> 20:34.640]  It's not even at a C level yet. And so, these are tests that's being administered.
[20:34.640 --> 20:38.480]  And given the report, thinking that individuals are not,
[20:38.480 --> 20:43.680]  doesn't have COVID when there's almost a 40% chance that they do.
[20:44.700 --> 20:48.960]  So, what's the workaround for it? So, they get their 65. They get their D. Do they get extra
[20:48.960 --> 20:55.000]  credit? Do they? Is it? What's the workflow? I mean, honestly, I think they all should be
[20:55.000 --> 20:58.580]  taken off if they're not above 80%. I think we're about three months...
[20:58.580 --> 21:01.460]  Then who does that leave? We're in a crisis right now.
[21:01.460 --> 21:08.380]  Again, that's where I think America has kind of took their eye off the ball the last century or
[21:08.380 --> 21:14.720]  so. We outsourced everything to China. That's the reason why we have slowness in testing now. We
[21:14.720 --> 21:20.980]  don't have enough swabs. We can't manufacture a stick with a piece of cotton on it. And so,
[21:20.980 --> 21:26.600]  now what we've done is we've rushed out and have all these device companies make these EUAs that
[21:26.600 --> 21:35.860]  are charging $100. You take almost three to four days to get a result back. And oops, it might be
[21:35.860 --> 21:42.300]  65% accurate. So, you're fucked either way. So, what's your shameless plug?
[21:43.380 --> 21:48.320]  I mean, again, I think understandably there's only three that's met the 95%. I think they
[21:48.320 --> 21:53.560]  should go ahead and ramp up. The rest should be scratched unless they have significant data.
[21:53.560 --> 22:00.240]  How are they going to ramp up? The production line is not here. The supply chain is not here.
[22:00.260 --> 22:01.920]  Get out. We're America.
[22:01.920 --> 22:05.340]  That's not a viable answer when the whole world is in crisis.
[22:05.380 --> 22:09.900]  Well, we're not responsible for the whole world. We're responsible for America.
[22:10.400 --> 22:15.960]  And therefore, I think, you know, what has happened is America is focused on bullshit.
[22:16.420 --> 22:22.780]  And, you know, now we can't even supply our own medical supplies. We can't supply our own API for
[22:22.780 --> 22:29.080]  pharmaceutical because we've outsourced 93% in China and the drug manufacturing is in India.
[22:29.260 --> 22:33.220]  So, somebody's going to have to take a hit on the chin for it. But it needs to start being
[22:33.220 --> 22:36.300]  American-made products. So, if it's American-made products,
[22:36.300 --> 22:40.280]  this also indicates that there's other things in the supply chain in that just workload
[22:40.280 --> 22:45.520]  in its entirety that need to be changed. If we have sent so many things off to China,
[22:45.520 --> 22:50.720]  they have different environmental protection laws, which means we would have to change them here.
[22:50.720 --> 22:56.720]  So, this whole system needs to be recalibrated. How long does that take? What's the effort?
[22:56.720 --> 23:01.080]  What's the funding? Who needs to get involved? I don't think it needs to be calibrated. I think
[23:01.080 --> 23:06.800]  it needs to be detonated. It needs to be start from scratch because it's just not it.
[23:06.800 --> 23:11.220]  So, that's right. We have the problem. So, you're bringing this up. So, what's the solution?
[23:11.740 --> 23:14.780]  Solution is, I mean, again, we got to get back to manufacturing.
[23:15.340 --> 23:22.120]  That's the solution. I mean, we've spent more money on Pokemon Go's and other bullshit and
[23:22.120 --> 23:26.740]  we've not been able to shore up our supply chain. Right now, if we shut the borders down,
[23:26.740 --> 23:33.660]  we are dead. We don't produce enough insulin. We don't produce anything that is of necessity to us.
[23:33.660 --> 23:39.540]  However, we've spent so much money on other shit. I just don't see how we can sustain. We are not
[23:39.540 --> 23:42.800]  able to sustain ourselves right now if we closed all our borders.
[23:43.220 --> 23:50.440]  So, Lilly makes insulin in Puerto Rico and that pushes over here. But we're still not addressing
[23:50.440 --> 23:56.940]  what I just said. So, you can detonate. That's fine. But you are still not creating a chain of
[23:57.980 --> 24:02.720]  you've destroyed this. What now? I mean, again, we have to...
[24:02.720 --> 24:08.560]  How do we rebuild that trust? How do we rebuild the facilities and get the stuff to make this
[24:08.560 --> 24:15.100]  cotton swab? How do we get from a four-day waiting period to a four-hour, a 24-hour turnaround?
[24:15.160 --> 24:19.000]  Yeah, we got to shift the money. I mean, the money is being shifted to big corporations.
[24:19.000 --> 24:23.080]  We have to shift the mindset though first, right? I don't necessarily think the money is the...
[24:23.080 --> 24:26.320]  money is always the problem. Cash flows everything around me, correct. But
[24:28.020 --> 24:33.500]  you have to change the mindset of those manufacturers, of the people that are in that
[24:33.500 --> 24:37.400]  chain to make the difference before the funding is even considered.
[24:38.460 --> 24:43.120]  Yeah, but again, going back to the individuals that's running those companies.
[24:43.120 --> 24:49.900]  They're not diverse. There's no inclusion. And so, they get to make these decisions that are not
[24:49.900 --> 24:55.220]  relevant to the diverse population that they say their medical devices to serve.
[24:55.240 --> 24:58.220]  No, we're talking about COVID. We're still talking about the manufacturing.
[24:58.400 --> 25:01.420]  Yeah, that's what we're talking about. The manufacturing, I mean, again,
[25:01.420 --> 25:05.440]  name an African-American that runs a large pharmaceutical company.
[25:05.820 --> 25:09.580]  I'm not well-versed in the pharmaceutical companies, to be honest. I'm better with the device.
[25:09.580 --> 25:13.800]  Name an African-American that owns a medical device company, a large.
[25:13.900 --> 25:15.740]  Valid. No, completely valid.
[25:15.740 --> 25:19.740]  Again, when you talk about the mindset, you have individuals that's running
[25:19.740 --> 25:25.500]  this particular industry that pretty much only have their interest in their group,
[25:25.500 --> 25:30.260]  right? And so, that's where you see with the pharma. Nobody thought that it was alarming
[25:30.260 --> 25:34.520]  that it's 95% European white males. I think everybody did.
[25:34.980 --> 25:38.540]  I don't know, but the ones that do go... Oh, no, absolutely. Yes, not everybody.
[25:38.540 --> 25:40.140]  Not everybody. Not everybody.
[25:40.140 --> 25:43.680]  People that weren't involved and were like, why can't I have that med? I saw it on TV.
[25:43.780 --> 25:49.420]  There you go. So, what's your shameless plug for you? What's your shameless plug?
[25:49.580 --> 25:55.300]  I mean, again, like I said, I think for me is it needs to be understood that this is a systemic
[25:55.300 --> 26:04.180]  racial issue from the beginning. I don't know how to Band-Aid fix it. So, the plug would be to
[26:04.180 --> 26:12.020]  re-engineer the way science is being done, how the scientists are being hired at the agency,
[26:12.020 --> 26:18.200]  because until you have diversity and inclusion, you're going to end up with another 50 years of
[26:18.200 --> 26:24.580]  white, 95% European males in the drug trials trying to treat,
[26:24.580 --> 26:30.820]  which is not going to be the majority anymore in the next 10 years. So, what are we doing?
[26:30.940 --> 26:35.400]  Your shameless plug is about you, not fixing the system.
[26:35.880 --> 26:41.400]  Oh, my shameless plug. I mean, I don't have a shameless plug. I just want to do good science
[26:41.400 --> 26:48.980]  and individuals that, you know, I think what my big concern is, there's a lot of innovation going
[26:48.980 --> 26:56.440]  on that's not being acknowledged because of who's behind it. And I think what I've seen over my
[26:56.440 --> 27:02.380]  career is that we need to change that. Because again, I think all you're seeing is these Me Too
[27:02.380 --> 27:07.980]  products. There's no innovation being done at large companies. Money has been spent on R&D
[27:07.980 --> 27:12.800]  for absolutely nothing at all, because I haven't seen any value add to a lot of these
[27:12.800 --> 27:20.080]  products, given the fact that it's being done in a bubble by white males and white institutions.
[27:20.680 --> 27:29.000]  Okay, thank you. We met in Abu Dhabi on a plane and had extensive conversations about medicine,
[27:29.000 --> 27:34.860]  because happenchance, you are a physician. What's your origin story?
[27:35.920 --> 27:44.120]  So the work on what eventually became telehealth really began with a Facebook page. I, back in
[27:44.120 --> 27:52.320]  like 2008, thought that the residents could benefit from having a professional Facebook page,
[27:52.320 --> 27:55.960]  and that, you know, it's a good way to share information and can be used in a little
[27:55.960 --> 28:02.180]  different way than kind of just the sharing pictures and family and friends aspect of it.
[28:02.180 --> 28:07.080]  But the professional societies hadn't really come around to it. So really,
[28:07.080 --> 28:15.100]  my career changed with a slide from Queen Elizabeth. Because when I showed Queen Elizabeth's
[28:15.100 --> 28:20.880]  Facebook page, and that we were not, you know, adopting new technology, even at the speed of
[28:20.880 --> 28:26.620]  Queen Elizabeth, I really do think that that was persuasive. So I think, while I have been given
[28:26.760 --> 28:32.640]  a fair amount of credit for kind of ushering ACOG into social media, a lot of it was Queen
[28:32.640 --> 28:39.080]  Elizabeth's influence. And so the work on social media began really with a legislative interest
[28:39.080 --> 28:44.580]  to kind of share stories and new legislative items that were coming up and to kind of get
[28:44.580 --> 28:50.520]  awareness in a way that was a little more fun and socially engaging. That pretty quickly
[28:51.300 --> 28:57.900]  transitioned from social media to anything that engaged with apps on your phone. And while they
[28:57.900 --> 29:01.880]  are very different, you know, it's different to have an app on your phone that say is a step
[29:01.880 --> 29:06.920]  counter from having a social media profile. There was enough of a connection through the mobile
[29:06.920 --> 29:14.720]  devices that social media and mobile media, you know, overlapped. And I was doing my health policy
[29:14.720 --> 29:20.520]  training at the University of Pennsylvania, where they very astutely had formed the Social Media
[29:20.520 --> 29:27.060]  and Health Innovation Lab. So I joined them. And that was really the professional intersection of
[29:27.060 --> 29:32.440]  studying the big data and the new types of metrics we get from things like Twitter, like
[29:32.440 --> 29:40.060]  tracking flu season by tweets and those kinds of studies. And from there, you know, it really has
[29:40.060 --> 29:46.440]  been just kind of a series of progressions where you go from tracking health information via
[29:46.440 --> 29:52.380]  Twitter to health information via a wearable device, which, you know, has at least a commonality
[29:52.380 --> 30:01.000]  of connecting through apps. And ultimately kind of landed where we are now, which is a
[30:01.000 --> 30:05.140]  version of telehealth that is very different from social media profiles, but it relies on things
[30:05.140 --> 30:12.740]  that, you know, engage through wearable devices, patient-generated data, app connections. And then
[30:12.740 --> 30:17.220]  like what we're doing here, which has become routine in COVID era, which is the virtual visits.
[30:17.920 --> 30:24.020]  And obviously it's exploding right now. So that's kind of a brief synopsis of how I went from
[30:24.020 --> 30:28.840]  talking about Queen Elizabeth's Facebook page to doing virtual visits around the clock.
[30:29.060 --> 30:33.340]  So you gave an acronym and I'm not sure if people know what it is. So what's ACOG?
[30:33.340 --> 30:38.040]  Yeah. ACOG is the American College of Obstetricians and Gynecologists.
[30:38.240 --> 30:42.160]  So I want to dive into that because that's the kind of physician you are, correct? You
[30:42.160 --> 30:46.380]  deliver babies, you take care of moms. Right. So I'm a board certified OBGYN
[30:47.440 --> 30:51.220]  and the chair of telehealth for the professional society, ACOG.
[30:51.400 --> 30:56.040]  Perfect. So I think a lot of people, when they think of going to the hospital now,
[30:56.040 --> 30:59.920]  because of COVID, they're going in for tests and they're going in because they have COVID.
[30:59.920 --> 31:06.080]  But the one surgical suite that stayed open the whole time, or at least generality,
[31:06.080 --> 31:12.060]  stayed open the whole time was yours. So can you talk about what happened,
[31:12.060 --> 31:16.860]  what changed during the COVID? Just get into that.
[31:17.280 --> 31:21.860]  As with everything, it has been a series of moving targets and
[31:21.860 --> 31:28.220]  adaptions and adapting to maybe an overreaction. So a lot of it has changed, but the overall
[31:28.220 --> 31:35.500]  essence of it was the obvious necessity for still having inpatient care. So the recommendation has
[31:35.500 --> 31:41.840]  always been to come and receive your maternal care in a hospital, whether it's a delivery or
[31:42.160 --> 31:47.280]  a triage evaluation, management of blood pressure. In other words, not recommending going outside the
[31:47.280 --> 31:56.720]  hospital. And to make that as safe as possible, there were a number of new protocols. Some just
[31:56.720 --> 32:02.120]  limited who could be in the hospital. So a lot of it was keeping it to be just the patient and
[32:02.120 --> 32:07.080]  maybe one support person, which would often be, say, a spouse or a family member. Whereas the
[32:07.080 --> 32:11.700]  intention before COVID would have been to have multiple support people, either multiple family
[32:11.700 --> 32:19.360]  members or a doula or someone like that. So that initially changed. And there were some,
[32:19.360 --> 32:26.360]  unfortunately, kind of rigid policies that did change the birth experience and definitely
[32:26.360 --> 32:32.660]  changed the postpartum experience. As we've gotten better at rapid testing and symptom screening
[32:32.660 --> 32:39.440]  and mask wearing and PPE, those have become a little more lenient. But there still is an
[32:39.440 --> 32:44.320]  emphasis on getting patients in and out of the hospital as quickly as possible. So going home
[32:44.320 --> 32:50.000]  on day one after a vaginal delivery or day two after a c-section would be accelerated in normal
[32:50.000 --> 32:55.580]  situations, but it has kind of become routine right now. And then there's the whole
[32:55.580 --> 33:00.820]  testing element, where if you test positive, there is a whole other kind of precautionary
[33:00.820 --> 33:06.080]  protocol that gets put into place. And it does mean wearing more masks than you're probably used to
[33:06.620 --> 33:12.960]  for the patient. Definitely means more PPE for the providers. So it looks like a much more kind of
[33:12.960 --> 33:22.440]  medicalized version of the delivery, which is the safest thing we have right now.
[33:23.000 --> 33:28.240]  So you talked about social media and the way that it's working into better patient care. Are
[33:28.240 --> 33:34.100]  you familiar that the FDA is working on something like that, that they're bringing in all of that?
[33:34.100 --> 33:42.260]  Can you speak to that a little bit? So yeah, I can speak. I'm not part of that personally.
[33:42.280 --> 33:46.600]  So is that a call to action that you want to express? I may be expressing that for you.
[33:46.600 --> 33:54.040]  Yeah, it's definitely a call to action in that we need these kind of bi-directional flow of
[33:54.040 --> 34:00.000]  information. We need patients who can more directly interact with decision makers and
[34:00.000 --> 34:05.240]  with people who are making the health policies. It's a little bit different, I think, than
[34:05.240 --> 34:09.560]  initially you're talking about, but one of the most effective waivers during this COVID era
[34:09.560 --> 34:16.400]  was the allowance of different devices so that everybody can access virtual health,
[34:16.400 --> 34:19.520]  even if they don't have, say, some of the infrastructure that's not available in all
[34:19.520 --> 34:27.120]  communities. And examples of that would be like Skype, FaceTime. Most communities now,
[34:27.120 --> 34:32.600]  whatever the resource setting is, do have access to cell phones and enough,
[34:32.600 --> 34:37.700]  either Bluetooth or internet, that they could do a FaceTime visit or a Skype visit.
[34:39.060 --> 34:47.020]  So, what kind of interactions have you had with the security researcher community? And
[34:47.020 --> 34:50.520]  are you getting into that realm? Are you in that realm?
[34:52.240 --> 34:57.200]  We're wading in. We're probably about knee-deep right now. So, there's definitely an adult
[34:57.200 --> 35:03.140]  swim deep into this that we have not gone into. But even in the shallow waters, it's been
[35:03.140 --> 35:10.320]  very enlightening. Because what we want to see happen with this telehealth revolution
[35:11.140 --> 35:18.480]  is the best kind of transition from optimizing the benefits without falling prey to the pitfalls.
[35:18.480 --> 35:24.960]  And we know with any new technology that those pitfalls are there, often unintended. So,
[35:24.960 --> 35:30.220]  kind of a classic example would be any scientific discovery that, at an extreme,
[35:30.220 --> 35:37.580]  became very dangerous. Nuclear fission comes to mind. And when it comes to Facebook and social
[35:37.580 --> 35:41.500]  media, I think the extreme of that in the negative is pretty obvious right now, with all of the
[35:41.500 --> 35:47.380]  misinformation and all the ways that social media can negatively influence public perception of
[35:47.380 --> 35:54.600]  pseudoscience or influence elections. And what we want to do is harness the power of these things,
[35:54.600 --> 35:59.740]  because social media has also enabled Black Lives Matter and the Me Too movement. We want to
[35:59.740 --> 36:05.840]  maximize the good and minimize the bad. And we're learning right now what are the, you know,
[36:05.840 --> 36:09.740]  to switch analogies for a second, in vehicle safety, you know, what are the
[36:10.680 --> 36:17.400]  anti-lock brakes and seatbelts and air traffic control of telehealth? And, for example, in the
[36:17.400 --> 36:24.040]  kind of entry-level interaction I've had with the cybersecurity community, we don't have much
[36:24.040 --> 36:29.660]  training on the physician side. So, you know, when a doctor is talking about a device that might be
[36:29.660 --> 36:35.900]  beneficial to a patient, say like a remote blood pressure device, they probably, you know,
[36:35.900 --> 36:40.940]  genuinely just don't have a lot of training or information about the nuts and bolts of how that
[36:40.940 --> 36:45.860]  works and how safe the data is. They know to ask about it, they know to be concerned about it,
[36:45.860 --> 36:51.700]  but they don't have like the deeper level understanding. That's just one example of how,
[36:51.700 --> 36:58.320]  you know, data privacy is totally intimately intertwined with this, and doctors do have
[36:58.320 --> 37:03.480]  questions about it. So, I have two things for you. This year at the Biohacking Village,
[37:03.940 --> 37:07.900]  Andrea Downing is talking about disinformation on social media, and you should also have a
[37:07.900 --> 37:12.020]  conversation with Dr. Christian Dameff and listen to his panel on Do No Harm. I can send you those
[37:12.020 --> 37:18.400]  links after. And the last thing I want from you is how can we as a community, the hacker community,
[37:18.400 --> 37:25.020]  cybersecurity community, help you in whatever next step it takes to get mid-thigh into that water?
[37:25.020 --> 37:30.720]  Yeah, well, exactly what you just proposed. I think we need a lot of these cross-disciplinary
[37:31.700 --> 37:37.060]  conferences. I think we need to be going to each other's lectures and learning each other's worlds
[37:37.280 --> 37:42.420]  a little bit first, and then finding out all the intersections. I do think ultimately,
[37:43.240 --> 37:48.580]  there's going to be a role for a lot of these conversations to take place outside the patient
[37:48.580 --> 37:56.140]  encounter. It's already such a short time we have to talk to patients about the things that we're
[37:56.140 --> 38:02.000]  trained in extensively, the immediate health of the patient right in front of us. To then dive
[38:02.000 --> 38:07.840]  into really complex topics about cybersecurity and patient-generated data and where that data
[38:07.840 --> 38:12.880]  sits and how protected it is, not only is it maybe beyond the scope of our time limits,
[38:12.880 --> 38:18.240]  it might be beyond the scope of our expertise. So I think finding a way that we can get patients
[38:18.240 --> 38:22.360]  the answers to those questions and get a well-informed citizenry of doctors to feel
[38:22.360 --> 38:27.720]  comfortable enough that they can confidently recommend the devices without having to get
[38:27.720 --> 38:33.880]  into all the deep weeds or deep end of the pool about exactly how it works. Finding the trusted
[38:33.880 --> 38:38.660]  sources to say, I don't know exactly how it works, but these guys do and we trust them. And so
[38:39.520 --> 38:42.240]  here's your kind of safety measures.
[38:42.240 --> 38:47.240]  Yet another plug. Meg Dewar is working on a cybersecurity informed consent
[38:47.840 --> 38:52.460]  project that would help patients and help you folks get that information to them.
[38:52.460 --> 38:57.100]  So this is the last question. What is your shameless plug for this conversation?
[38:57.460 --> 39:04.200]  My shameless plug is to have a post-COVID world that looks a lot like the current
[39:04.960 --> 39:11.060]  waivers and adaptations. So it doesn't mean that we have to continue all visits via Skype or
[39:11.060 --> 39:17.400]  FaceTime, for example. Even among the adopters, most have moved away from that already. They use
[39:17.400 --> 39:22.020]  things that are HIPAA compliant. It's a nice backup to have. But that's not the waiver that
[39:22.020 --> 39:26.980]  we're looking for. But we do need a lot of these other waivers to continue. We need doctors to
[39:26.980 --> 39:31.340]  see patients without, for example, a prior existing patient-doctor relationship. We can
[39:31.340 --> 39:37.180]  establish that for the first time virtually. We really need the cross-state lines flexibility.
[39:37.740 --> 39:43.720]  In fact, a totally shameless plug would be to have something akin to a national medical license,
[39:43.720 --> 39:46.900]  where if you're licensed in one state, you can practice anywhere, the same way that you can
[39:46.900 --> 39:50.920]  prescribe anywhere in the United States with a DEA number, or you can drive anywhere in
[39:50.920 --> 39:56.040]  the United States with a driver's license. We need payers to continue to fund this.
[39:56.040 --> 40:01.820]  They've been doing an admirable job adapting to the current climate. We need that to continue.
[40:01.820 --> 40:13.760]  And we need the people using it right now to be open to still some reining in of all the
[40:13.760 --> 40:18.720]  new technology. In other words, we know that things like virtual visits and online care
[40:18.720 --> 40:25.240]  are still prone to overuse and fraud and all the things that in-person care is prone to.
[40:25.240 --> 40:31.380]  So while I'm calling for many of the waivers to stay in place and not be reenacted, we will need
[40:31.380 --> 40:36.200]  some new things that come in and we need to be open to those so we can continue to use it safely.
[40:36.440 --> 40:37.800]  Thank you so much.
[40:38.160 --> 40:39.740]  Thank you.
[40:39.740 --> 40:40.800]  Hey girl, hey.
[40:40.800 --> 40:43.880]  Hey girl, hey, hey, hey.
[40:43.980 --> 40:50.300]  This is Najla Lindsay. She is on the board with us. She helps us do the things and accomplish
[40:50.300 --> 40:55.220]  all the things that you're about to experience. I have a question.
[40:55.880 --> 40:59.700]  I may have some answers, Nina. I may have some answers for you.
[40:59.880 --> 41:01.040]  Are you ready?
[41:01.380 --> 41:02.620]  I'm gonna get into it.
[41:02.620 --> 41:06.520]  So what's your origin story? Two, three sentences.
[41:07.780 --> 41:19.080]  Forensic scientist lover, wine lover, and I am here to share forensic science and information
[41:19.080 --> 41:24.760]  security is hand in hand. That's just, that's the bottom line. They are lifetime lovers and
[41:24.760 --> 41:30.760]  part-time friends right now and I need them to be full-time friends as well as the lifetime lovers.
[41:30.760 --> 41:33.040]  So that's it in a nutshell.
[41:33.120 --> 41:37.000]  I was going to ask about your shameless plug, but you clearly already got this because that
[41:37.000 --> 41:41.500]  was the title of your talk for last year. So hashtag go to YouTube.
[41:41.680 --> 41:42.840]  It's all in there.
[41:46.380 --> 41:51.520]  You're up and coming as a researcher. You're doing all the things. What do you need from
[41:51.520 --> 41:56.240]  our community to help you get to that next level? Because if anybody follows you on the Twitters,
[41:56.240 --> 42:02.220]  you just, it's all the time every day doing the things. How can we help you?
[42:02.740 --> 42:09.540]  How can we help? How can you help me? You know, share, you know, the resources that I share,
[42:09.540 --> 42:16.700]  share things that I'm doing with the community and reach out to me. I'm always open to have
[42:16.800 --> 42:21.800]  a discussion. I'm always open to learn something new. I don't know everything and I think that
[42:21.800 --> 42:28.640]  the community is full of experts and people that know so much that there needs to be a bridge
[42:29.320 --> 42:36.060]  to, you know, career transitioners like myself and, you know, recent graduates and, you know,
[42:36.060 --> 42:41.460]  the people that have been in the industry for years. So I'm always willing to have a conversation,
[42:41.460 --> 42:50.720]  talk to you, share my resources, and, you know, just be genuine and in your reach as well.
[42:51.140 --> 42:56.400]  Because it's no sense in being fake with me. I'm not fake with anybody. Just be genuine in your
[42:56.400 --> 43:02.880]  reach and reach out to me, talk to me, and teach me something new. Learn something new every day.
[43:04.520 --> 43:12.100]  You talked about your forensic science work. How do you see the overlap of DFIR,
[43:12.100 --> 43:22.640]  science, security, technology, healthcare? It's all intertwined. And I like to tell people that,
[43:22.640 --> 43:27.840]  you know, a lot of people that are currently studying digital forensics, they don't know that
[43:27.840 --> 43:35.980]  that's actually a branch and a discipline in forensic science. And once people learn and
[43:35.980 --> 43:44.640]  actually take into their work that this is from a scientific discipline, what you do in digital
[43:45.460 --> 43:50.700]  forensics can go to court. Like, you can testify based on what evidence you have processed, what
[43:50.700 --> 43:55.780]  evidence you have found, what story you're telling. And that could be a make or break for someone. You
[43:55.780 --> 44:00.060]  can wind up putting someone in jail or you can wind up freeing someone and exonerating them from
[44:00.180 --> 44:05.980]  a crime that they've probably been in jail for for years. And so I always like to remind people that
[44:07.420 --> 44:12.180]  they are together, whether you like it or not. And I think that people forget that you have to
[44:12.180 --> 44:18.220]  take the scientific approach to a lot of things. That scientific method, we didn't learn that just
[44:18.220 --> 44:23.940]  to learn it. We learned it because it actually applies. You have a hypothesis and you have to
[44:23.940 --> 44:30.140]  test it out, not just once, not twice, various times and with various people. Because what I get
[44:30.140 --> 44:36.300]  when I do it will be a different result and can be a different result from what you get. And it
[44:36.300 --> 44:41.900]  doesn't hurt to share the information. You're not going to lose anything by sharing what you learn.
[44:42.080 --> 44:49.560]  And I think that it will forever be intertwined as digital forensics gets more popular
[44:49.560 --> 44:55.800]  because that's also taking the turn and being the talk of the town of cybersecurity,
[44:56.340 --> 45:02.700]  information security. I think it's important that people remember or know, just even learn that
[45:02.700 --> 45:09.240]  this is a part of forensic science. This is a science discipline. And the more you think
[45:09.240 --> 45:14.380]  methodically about it, the better you will be as a practitioner in the field. And that's either as
[45:14.460 --> 45:22.600]  a researcher or if you're working full-time as well. So not a lot of people consider digital
[45:22.600 --> 45:27.880]  forensics in healthcare because there are no laws surrounding it. If something goes wrong,
[45:27.880 --> 45:34.240]  you re-image it, you keep moving, you keep going. How do you see the transition happening? Is it
[45:34.240 --> 45:41.280]  happening? Is it going to happen? What do you see the future? So with healthcare, I find that
[45:41.280 --> 45:47.960]  they're always at least five to 10 years behind on making the transition to updated technology,
[45:47.960 --> 45:52.500]  just in general. Just switching to have Windows 10 on all of their computer systems in the hospital
[45:52.500 --> 45:59.480]  can sometimes take much longer than private organizations or government organizations.
[45:59.480 --> 46:07.140]  And so I think that the healthcare industry is still catching up. Healthcare, a lot of people
[46:07.140 --> 46:12.300]  didn't think about, oh, I have to worry about securing this device and making sure someone
[46:12.300 --> 46:17.040]  don't try and trip it and increase, you know, let's say you take insulin, you have an insulin pump,
[46:17.040 --> 46:22.340]  and increase my insulin pump or, you know, mess with the anesthesiologist who is very important
[46:22.340 --> 46:29.100]  during surgery because one wrong dose can kill somebody. So your hospital go down and your
[46:29.980 --> 46:35.000]  anesthesiology equipment is on a network and somebody decides to play with it,
[46:36.240 --> 46:43.180]  you're just completely out of luck. So I think that as more people are aware of, you know,
[46:43.180 --> 46:47.780]  the biohacking village, as more people are aware of, you know, healthcare and medical device security
[46:47.780 --> 46:55.060]  and how important that it is to think about security at the beginning and not the after effect,
[46:55.060 --> 47:00.200]  I think that people will start to realize, oh crap, we actually have to take care of this.
[47:00.200 --> 47:04.420]  And I think if manufacturers, there's a couple manufacturers that I know that they started
[47:05.780 --> 47:11.420]  implementing on their websites where you can learn about stuff that has issues. And so they
[47:11.420 --> 47:16.600]  want to make sure that the community is aware so that, you know, they're doing, they have their
[47:16.600 --> 47:21.380]  methods to build in and make sure that everything works better. I think the more that people
[47:21.380 --> 47:29.320]  actually have conversations because as much as big and as much as cybersecurity is, they don't
[47:29.320 --> 47:33.480]  talk to each other. Like people within the industry and the organizations don't talk to each
[47:33.480 --> 47:38.580]  other. It's like a hush hush thing. And I just feel like this is actually the same thing in
[47:38.580 --> 47:43.660]  forensic science too. But I think that the more that you talk, the better we can come together
[47:43.660 --> 47:48.620]  and the better we can build these, you know, these instruments and these medical devices,
[47:48.620 --> 47:54.460]  because that's the only way we're going to make healthcare better for everyone. It's not about,
[47:54.460 --> 48:00.700]  oh, you get access to healthcare and you don't. You have to think security at the forefront and
[48:00.700 --> 48:04.640]  not at the, at the, at the end of it, because it actually costs you more when you think about it
[48:04.640 --> 48:11.080]  at the end versus with it in mind as you're doing it. So it's all intertwined, all of it.
[48:11.820 --> 48:18.500]  So in recent history, you were part of Share the Mic in Cybersecurity.
[48:18.760 --> 48:19.980]  Oh yeah.
[48:21.600 --> 48:26.700]  So what was, what was that like? What were the outcomes?
[48:27.860 --> 48:36.240]  Um, that was like one of the best things that I've ever been a part of. Um, and, you know,
[48:36.240 --> 48:42.940]  I, when I got paired with Rachel Tobac of WISP, you know, I had known of Rachel. I hadn't really
[48:42.940 --> 48:48.100]  talked to her as much, but I had known of Rachel because I wind up being able to receive a WISP
[48:48.100 --> 48:52.760]  scholarship last year for DEF CON. So that was very helpful in me attending DEF CON.
[48:52.760 --> 49:00.500]  And on top of that, we just clicked instantly. I learned so much about her. Um, and we put a plan
[49:00.500 --> 49:05.400]  together. We put a plan because, because you're, you're on Twitter. You're not necessarily doing
[49:05.400 --> 49:09.740]  videos. It's a tweet and you put together some tweets. We put together some tweets. We put
[49:09.740 --> 49:13.220]  together an action plan and just talked about, you know, what it is that I'm trying to do,
[49:13.220 --> 49:17.980]  what it is that you're looking for. Um, you know, certifications that you're doing
[49:17.980 --> 49:23.980]  and all of the like. And so we put it together Thursday night, everything was set.
[49:24.300 --> 49:30.480]  And then Friday, everything, I was at work. I still work in my forensic science industry. So
[49:30.480 --> 49:34.240]  I was at work when all of this was going on, but I knew what the tweets were because we talked
[49:34.240 --> 49:41.520]  through them and we worked through them. And I wanted, you know, funding for my certifications.
[49:41.800 --> 49:46.080]  And I wanted to attend the SANS class. And we know, you know, SANS has been,
[49:46.680 --> 49:53.380]  um, looked at as like one of the main industry certifications to achieve and attend that class.
[49:53.380 --> 49:59.060]  And so I was fortunate to be able to receive a full scholarship to attend one of their classes.
[49:59.060 --> 50:06.160]  I was able to get all of my certification, um, certification costs covered. And then
[50:06.160 --> 50:12.520]  they wind up covering all of the Black cybersecurity professionals, um,
[50:12.520 --> 50:20.880]  certifications and trainings. And to, to still, you know, make that, you know,
[50:20.880 --> 50:26.200]  hey, I'm going to still get all of these people, um, make that the forefront and say, hey, I'm,
[50:26.200 --> 50:32.740]  I want these people to progress. I want these people to win. Um, I think that that was amazing.
[50:32.740 --> 50:41.340]  It felt amazing. And I was elated, um, all day at work. I was on my, I was just so elated at work.
[50:41.340 --> 50:45.520]  They couldn't even tell me, they was like, are you okay? I'm like, I'm not sure, but I'm here
[50:45.520 --> 50:50.980]  and I'm going to get my work done. But it was so amazing. Um, and then later on in the day,
[50:50.980 --> 50:56.240]  Rachel and I actually went live on Periscope and we had a discussion about, you know, you know,
[50:56.240 --> 51:02.980]  being Black in the industry, um, and what it is that people can do to help Black cybersecurity
[51:02.980 --> 51:10.460]  professionals. And so, um, that whole day was just full of adrenaline and full of, you know,
[51:10.460 --> 51:15.700]  happiness and gratitude, um, and people using their platform to promote other people's voices
[51:15.700 --> 51:20.980]  that don't typically have a voice. So I loved it. Um, and Rachel and I are still building our
[51:20.980 --> 51:24.660]  relationship in the background and learning about each other and things like that. And I think
[51:24.660 --> 51:29.960]  all of the participants are also doing that. So it was, it was amazing. I hope that it continues
[51:29.960 --> 51:37.160]  to grow into something much larger, um, going forward. How can the biohacking village participate
[51:37.160 --> 51:43.080]  or do better with it? Um, you, as a biohacking village, I think that
[51:44.520 --> 51:49.640]  you have to make a conscious effort. And then to some people, it may look like you're being biased
[51:49.640 --> 51:54.580]  because you may focus on underrepresented minorities or things like that. And I think
[51:54.720 --> 51:58.520]  a good way, because normally the biohacking village just does an event during DEF CON,
[51:58.520 --> 52:04.280]  right? Um, I think that, you know, during the year, you know, after, you know, a couple of
[52:04.280 --> 52:11.920]  months later down the line, do, do... Are you secret dropping? You got to cut this out.
[52:12.340 --> 52:18.660]  No, I'm just telling you what I think. I'm just telling you things that I think that would be
[52:18.660 --> 52:23.800]  helpful. You know, maybe start a partnership or a mentor program with, um, you know, some people,
[52:23.800 --> 52:30.340]  get people involved in, in it and promote it, you know, consistently. Um, you know,
[52:30.340 --> 52:34.680]  especially during, uh, Cybersecurity Awareness Month, everybody participates in it, right?
[52:34.680 --> 52:40.540]  Like last year I did that. I was dropping random tips of the day, like, and doing that. I think
[52:40.540 --> 52:46.220]  that the more that people learn that the biohacking village is out there, the more that people will
[52:46.220 --> 52:52.000]  want to participate and know about, you know, healthcare and medical device security. I think
[52:52.000 --> 52:59.740]  that is, you know, keep, you know, tweeting and sharing, you know, information and reaching out
[52:59.740 --> 53:05.960]  and being personable. I think that's all going to do a world of good as we continue to grow,
[53:05.960 --> 53:09.000]  because I'm not going anywhere. Nina, you're stuck with me, just so you know.
[53:09.000 --> 53:10.460]  I was never letting you go.
[53:10.520 --> 53:12.080]  Okay, just so we're clear here.
[53:12.080 --> 53:13.560]  I was never an option.
[53:17.700 --> 53:20.160]  So what's your controversial opinion?
[53:20.880 --> 53:39.270]  Whew, um, wow, you tripped me up here. Good one, actually. Um, my controversial opinion is that
[53:40.950 --> 53:44.590]  I, I see,
[53:46.290 --> 53:52.490]  I see people being performative on making sure that Black people get heard in the
[53:52.490 --> 53:58.710]  industry. But it means nothing, because you're not actually doing anything. And I can see right
[53:58.710 --> 54:05.250]  through you pretending to do anything. And I think that, you know, even with Share the Mic in Cyber,
[54:07.370 --> 54:11.930]  it's, I feel like it'll be a moment in time for some people, and for a lot of people,
[54:11.930 --> 54:19.570]  because you have the same type of people at the top of the industry. And they have a lot of say.
[54:19.570 --> 54:25.990]  And it, and the industry follows a lot of what those top people say. So I think sometimes,
[54:25.990 --> 54:34.450]  you know, doing all of this and making sure that, you know, people get heard.
[54:36.590 --> 54:43.270]  Let's check back around wintertime and see what's been happening. Because I know, or I feel,
[54:43.270 --> 54:45.910]  that stuff's not going to look the same.
[54:47.290 --> 54:51.150]  So, controversial opinion. What's your call to arms?
[54:51.890 --> 55:01.030]  My call to arms is don't talk about it, be about it. Go make for the next, listen, we're in Rona.
[55:03.050 --> 55:11.210]  It's Rona. You're like, it's coronavirus. Most states, most countries are locked down.
[55:12.250 --> 55:18.930]  Reach out to somebody in the industry, not a white person.
[55:20.910 --> 55:25.730]  Not, no, no, no, not a white person, not a white male, not a white female.
[55:26.230 --> 55:31.410]  Somebody that does not look like you, that you've never actually talked to either, because you can
[55:31.410 --> 55:35.830]  tend to have a bias against the people that you've already known. And you just choose that because
[55:35.830 --> 55:39.950]  that's your comfort zone. No, no, no, no, no, we want you out of your comfort zone. We want you
[55:39.950 --> 55:47.590]  to be held accountable for your thoughts, your feelings, and your words, and your actions.
[55:47.790 --> 55:56.610]  Reach out to somebody, a black person, a Latino person, an Asian person, somebody not related
[55:57.180 --> 56:02.150]  to you in any way, fashion, form that you've never talked to, and get to know them genuinely.
[56:02.150 --> 56:11.510]  Don't expect anything in return, nothing. I mean, not an ounce of nothing.
[56:12.790 --> 56:20.650]  See what happens to yourself as you choose to develop a relationship with someone with no
[56:20.650 --> 56:28.750]  transactional expectations. See what happens to yourself, not for them, for you. Because
[56:28.750 --> 56:34.190]  I can guarantee you, when you start to do stuff without expecting anything in return,
[56:34.190 --> 56:42.210]  you feel good. And you realize that the stuff, and the values, and the beliefs that you have now,
[56:42.210 --> 56:47.890]  they can change. They don't have to be there for the rest of your life. And your life's not going
[56:47.890 --> 56:53.110]  to end because you've changed a value or belief. It's not going to end. It's only going to get
[56:53.110 --> 57:00.090]  better. And if it don't get better, I'm sorry, you're not growing. And you're going to be stuck.
[57:00.650 --> 57:06.870]  So choose somebody you've never talked to. Go on LinkedIn. LinkedIn is the place of people
[57:06.870 --> 57:13.650]  just, I feel like they just Google and just reach out to people. Go on LinkedIn. Check Twitter.
[57:14.290 --> 57:21.510]  Check hashtags. Go on there. Go talk to someone. Build a genuine relationship. Find out about them.
[57:21.510 --> 57:28.450]  Reach out and take it from here. Commit to it for the next six months. I'll make it easy. I won't even
[57:28.450 --> 57:32.810]  say a year. For the next six months. Into the new year. Actually, it's five. Let's make it into
[57:33.270 --> 57:39.530]  January 2020. And see what happens. And reach out to me on Twitter and tell me what happened
[57:39.530 --> 57:45.730]  when you did this. Because I would like to know. I love that. That's it. I love the passion you
[57:45.730 --> 57:56.130]  bring to pretty much every single conversation. Let's do it. Thank you. You are very welcome.
[57:56.150 --> 58:02.550]  So fun fact about this quarantine is Canibal and I started cooking together on the weekends.
[58:03.330 --> 58:10.090]  Three hour time difference. He's Mexican. I'm Puerto Rican. We started making dishes from each
[58:10.090 --> 58:15.290]  other's cultures. It opened up our eyes. We're like super homies now. It's amazing. It is
[58:15.730 --> 58:22.130]  probably one of the best friendships I have ever cultivated. And thank you for being on here.
[58:25.770 --> 58:35.070]  So quick, just to get to know you, question. Two lines, one minute. What's your origin story?
[58:36.210 --> 58:40.570]  All right. Origin story. It's going to be a little bit more than two lines.
[58:40.570 --> 58:48.010]  But I started out in the medical industry. This was 12-ish years ago for a medical device
[58:48.010 --> 58:54.670]  manufacturer. And it's kind of how I got into medical and how I got into security where
[58:55.230 --> 59:02.070]  I was brought in actually more of a support role. And I noticed that, hey, these devices
[59:02.070 --> 59:07.430]  aren't being patched. Nobody's really taking the lead on this. So I just started doing it
[59:07.430 --> 59:15.910]  on top of my other stuff. And that was kind of it. At one point, it started rolling up into,
[59:15.910 --> 59:21.850]  oh, hey, hospitals are starting to get hit with ransomware. This is kind of a big deal.
[59:21.850 --> 59:25.870]  I'm like, yeah, I've been doing this for years because you guys didn't care about it.
[59:25.870 --> 59:32.170]  Right. Perfect segue. So you've been around the industry for a super long time. So you've seen
[59:32.170 --> 59:39.270]  it go from health care instantiation with technology and security to where we are now.
[59:39.270 --> 59:43.370]  What are the biggest differences you see and how much do we still have to go?
[59:44.330 --> 59:53.090]  There is still so much work that needs to be done. So, so much work. I think people are more aware.
[59:53.790 --> 59:57.490]  I'm talking about a populace standpoint, not so much the medical industry, but people are more
[59:57.490 --> 01:00:03.730]  aware of their data, the sensitivity of things, and that security is important, especially on
[01:00:03.730 --> 01:00:09.890]  devices that are connected to people or those people are relying on those devices for their
[01:00:09.890 --> 01:00:21.390]  safety and their well-being. Things were a mess. They're still a mess, but not as much of a mess.
[01:00:22.190 --> 01:00:28.470]  I think a lot of it has to do with, one of the things is the regulations, HIPAA.
[01:00:29.070 --> 01:00:35.510]  There's not enough there. Their heart's in the right place, but they have no way of enforcing
[01:00:35.510 --> 01:00:41.290]  it. The claws have no teeth. Claws have no teeth. That's kind of funny because it sounds like it's
[01:00:41.450 --> 01:00:50.210]  a cat. A healthcare cat? Right. So, I'm going to bend you on that. Okay. So, what would give
[01:00:51.850 --> 01:00:58.370]  healthcare policy makers, regulators more teeth? How do they, and just an extension of that,
[01:00:58.370 --> 01:01:04.810]  so then how do they engage more with the sec community hackers to make this better?
[01:01:05.370 --> 01:01:07.950]  How would you like to be engaged by these people?
[01:01:07.950 --> 01:01:15.410]  Yes. So, that's kind of a, there's no quick, easy answer to it, unfortunately, but
[01:01:15.910 --> 01:01:20.910]  this isn't a new issue. We've known about this for a really long time. It's one of those things
[01:01:20.910 --> 01:01:28.750]  where if we, if something were just started now, in five, six years from now, we could look back
[01:01:28.750 --> 01:01:32.630]  and say, oh, yeah, we still don't have a great plan, but there's something, there's at least
[01:01:32.630 --> 01:01:41.290]  this momentum that we can build off of. Getting some sort of enforcement policy in place, and
[01:01:41.290 --> 01:01:47.110]  that usually comes with auditors or someone that would like basically go to each hospital.
[01:01:47.970 --> 01:01:53.390]  Some sort of government funding would be helpful because a lot of the hospitals,
[01:01:53.610 --> 01:01:56.550]  a lot of people think that hospitals are making money hand over fist because of how much they
[01:01:56.550 --> 01:02:01.870]  cost, but they're just, they're trying to break even. A lot of hospitals are running in the red.
[01:02:03.790 --> 01:02:07.450]  And they really don't have the money. A lot of them don't even have IT staff.
[01:02:07.650 --> 01:02:12.090]  A lot of them outsource their IT, and it's one of those things where the doctor will call up and
[01:02:12.090 --> 01:02:17.150]  say, hey, I want to be able to check my x-rays or whatever from home, punch this hole through
[01:02:17.150 --> 01:02:22.730]  the firewall so I can get access to my machines. Having some sort of standardized
[01:02:23.810 --> 01:02:29.510]  IT policy for hospitals that the government can say, hey, here's a framework, you can either use
[01:02:29.510 --> 01:02:34.830]  this or use your own, but you got to use something. That would be a huge step forward,
[01:02:34.830 --> 01:02:39.770]  just having some sort of basic guideline so that the hospitals aren't fumbling around in the dark
[01:02:39.770 --> 01:02:45.070]  trying to figure this out. Newer hospitals tend to be better, but there's so many old hospitals
[01:02:45.070 --> 01:02:49.990]  that are just kind of like cobbling things on as they go. Most hospitals...
[01:02:51.290 --> 01:02:51.790]  What's that?
[01:02:51.790 --> 01:02:56.810]  Working with those legacy devices that they have to continue to integrate and continue to protect
[01:02:56.810 --> 01:02:58.930]  with the other things that are coming in.
[01:02:58.930 --> 01:03:02.910]  A lot of hospitals, especially on the East Coast, have been around since before computers were even
[01:03:03.050 --> 01:03:10.590]  a thing. Yeah, right, it's crazy. Technology. A lot of them are like, how do I use this fax machine?
[01:03:10.590 --> 01:03:13.710]  I almost took that personal. I was like, what do you mean? Are you talking about New York
[01:03:13.710 --> 01:03:14.770]  specifically?
[01:03:15.050 --> 01:03:17.030]  Yeah, especially New York.
[01:03:17.370 --> 01:03:22.870]  No, it's actually true, right? So you're not in healthcare anymore, right?
[01:03:22.870 --> 01:03:26.970]  No, I am no longer in healthcare. I've been out for maybe three or four years.
[01:03:26.970 --> 01:03:30.490]  So I don't know if you want to talk about the industry you're in, but how does that industry,
[01:03:30.490 --> 01:03:34.190]  how can that industry that you're currently in influence what healthcare is doing?
[01:03:34.850 --> 01:03:44.830]  So I'm a Threat Hunter Red Team for local government. And just having... so my issue
[01:03:44.830 --> 01:03:54.170]  with that type of work is the hospitals just need the basics. It's great that these devices
[01:03:54.170 --> 01:04:00.430]  on the user side have two or MFA, usually three forms of authentication in order to be able to
[01:04:00.430 --> 01:04:06.610]  pull meds or change access to a patient's record. But on the admin side of things, a lot of those
[01:04:06.610 --> 01:04:11.370]  don't have multi-factor authentication. It's single auth. So it's great that the users have
[01:04:11.370 --> 01:04:17.570]  to do this, but the admins don't. The technical side of things is just like, it's just oftentimes
[01:04:17.810 --> 01:04:24.990]  a reused password across the vendor. And I mean, pick your vendor a lot. Pretty much all of them
[01:04:24.990 --> 01:04:32.350]  have it. So what's your call to action for healthcare or the hacker community, whoever?
[01:04:34.750 --> 01:04:39.690]  So many things. There's so many things. One of them is just education.
[01:04:41.330 --> 01:04:48.230]  Get educated on what hospital you're going to. What standards do they have? What equipment do
[01:04:48.230 --> 01:04:53.210]  they use? Ask them, how is my information going to be used? I mean, as a patient, this is what you're
[01:04:53.210 --> 01:04:58.930]  talking about. As a patient. As a patient. As a hospital, it'd be one of those things of like,
[01:04:58.930 --> 01:05:03.090]  yeah, holding your vendor a little bit more accountable as to what equipment they're putting
[01:05:03.090 --> 01:05:08.710]  on your network. So many of them basically say, hey, we're on your network. It's up to you to
[01:05:08.710 --> 01:05:14.410]  protect this equipment, not we're going to harden this stuff because, you know, we don't know what's
[01:05:14.410 --> 01:05:24.010]  there. And every hospital is different. There's no standardized network for hospitals. I keep
[01:05:24.010 --> 01:05:29.850]  kind of going back to the whole standardized policy thing of this is a basic framework.
[01:05:30.090 --> 01:05:36.510]  You're welcome to modify this as much as you want. But these are the basics. You need to
[01:05:36.510 --> 01:05:43.350]  be able to segment off some of this equipment or have a standardized 2FA or MFA policy for
[01:05:43.350 --> 01:05:48.750]  your internal staff and admins. And if you're not going to have your on-site IT, these are
[01:05:48.750 --> 01:05:52.610]  the rules they have to play by. So what if it's a baseline where people just have to meet this
[01:05:52.610 --> 01:05:58.890]  very small criteria to meet? And then from there they can build up, but they cannot go below?
[01:05:58.890 --> 01:06:05.190]  Right. Who would be the organizing body to lead that or who would be involved in that?
[01:06:05.190 --> 01:06:12.390]  That would seem like it'd be kind of fall onto the FDA. And there's, they have some stuff,
[01:06:12.390 --> 01:06:19.010]  but it doesn't really call out a basic framework or some sort of structure that hospitals can,
[01:06:19.010 --> 01:06:23.450]  can fall back on if they have these questions that are going unanswered.
[01:06:24.850 --> 01:06:29.850]  So we're almost out of time. Okay. So what's your shameless plug?
[01:06:30.490 --> 01:06:36.350]  I don't have one. Just, just get angry, get, get informed and like realize how like,
[01:06:36.350 --> 01:06:43.030]  how poorly everything has been. They're like, this is this, none of this is new. We've,
[01:06:43.030 --> 01:06:48.250]  we've been talking about this for 10 years and very little has been done. One,
[01:06:48.250 --> 01:06:55.150]  one thing I will plug is if you look up the HHS breach report, whenever there's a breach,
[01:06:55.150 --> 01:07:00.810]  it has to be notified. It has to be reported and you can go and you can read these reports
[01:07:01.530 --> 01:07:07.450]  and you can see is like, Oh, look, 10,000 records just got breached or this other,
[01:07:07.450 --> 01:07:12.330]  you know, CVS got breached. There was one recently, I think within the last week for CVS
[01:07:13.170 --> 01:07:16.030]  in one specific area. And it's one of those things where it's like,
[01:07:16.030 --> 01:07:18.370]  I feel like nobody's really looking at this.
[01:07:18.370 --> 01:07:22.410]  Think about how CVS is networked, right? You can go to any CVS and pick up your meds.
[01:07:22.410 --> 01:07:27.270]  So it's not just a singular, a singular one area that got hit.
[01:07:27.270 --> 01:07:33.810]  If you go to Google and you just search for the HHS breach report, that's a hotel, hotel,
[01:07:33.810 --> 01:07:40.710]  Sierra breach report. It'll take you to a page and you scroll down and you look for
[01:07:41.210 --> 01:07:47.390]  breaches greater than 500 or less than 500. I don't know if there's a way to display them both
[01:07:47.390 --> 01:07:50.910]  for what I mean, it's a .gov site. So at least you're getting something.
[01:07:51.950 --> 01:08:00.030]  This, so the one I was just talking about is the CVS pharmacy and that's 21,000 records or not
[01:08:00.030 --> 01:08:05.610]  even records, but individuals. The next one down is 25,000. The one below that for University of
[01:08:05.610 --> 01:08:13.770]  Utah is 10,000, you know, 78,000 for the NCP healthcare management company. These are all
[01:08:13.770 --> 01:08:20.750]  within the last, you know, seven to 10 days. This is a lot. And, and it just, it just scrolls
[01:08:20.750 --> 01:08:24.710]  every, every day or every few days, there's just another one and another one and another one.
[01:08:25.090 --> 01:08:32.250]  And I feel like not enough people are looking at the breach report. And if you get enough people,
[01:08:32.250 --> 01:08:38.030]  you get enough eyes on this report, it kind of paints a picture of this is a really big issue.
[01:08:38.030 --> 01:08:44.630]  And if, if we just followed some basic practices, it could really prevent this. If, and it also
[01:08:44.630 --> 01:08:48.330]  shows you the, the location and the type of breach, you know, hacking IT incident,
[01:08:48.330 --> 01:08:55.070]  hacking IT incident, unauthorized access or disclosure. Those are the ones that you see
[01:08:55.070 --> 01:09:00.790]  the most. The, the one at the very top for Walgreens is theft, but, and, and the one below
[01:09:00.790 --> 01:09:05.190]  it is loss as well. But I mean, those are, those are all preventable things. These are,
[01:09:05.190 --> 01:09:13.690]  these are easy things that, that can be mitigated. Basic framework, just a very basic
[01:09:13.690 --> 01:09:20.570]  framework of how to handle passwords. 2FA has to be required for not just the medical staff,
[01:09:20.570 --> 01:09:25.670]  like the, the RNs getting the meds out of the machine, but the techs servicing the machines
[01:09:25.670 --> 01:09:31.330]  and, and the vendor companies that are putting this equipment in the hospital should have some
[01:09:31.330 --> 01:09:39.250]  degree of accountability for what they're introducing to the network. So we're going to
[01:09:39.250 --> 01:09:45.910]  see each other later because it's Friday for us and it's a cooking day. So here for later.
[01:09:48.030 --> 01:09:58.590]  Thanks. Later. So Sri, hi, how are you? Good. Thank you. How are you? I'm good. So
[01:09:59.390 --> 01:10:03.150]  tell us about yourself. Where do you work and a little bit about your origin story?
[01:10:03.710 --> 01:10:10.130]  Sure. Yes. I've been working on controlling pandemics since the Ebola epidemic. I got
[01:10:10.130 --> 01:10:15.830]  pulled into that by a complete, by almost by accident. I was at a conference, TEDMED that
[01:10:16.510 --> 01:10:20.670]  looked at, looking at all kinds of medical topics, but just a few days before that,
[01:10:20.670 --> 01:10:27.870]  the Ebola crisis was, was escalating. And the CDC director had a press conference saying this is the,
[01:10:27.870 --> 01:10:33.370]  at that time it was Tom Frieden saying this is the worst epidemic of his career since the AIDS
[01:10:33.370 --> 01:10:38.730]  epidemic. And then, so it was like, oh wow, if the CDC doesn't have things under control,
[01:10:38.730 --> 01:10:44.330]  then things must be pretty bad. So although we were, you know, we're having drinks at the city
[01:10:44.330 --> 01:10:49.690]  hall in San Francisco for the, at the conference, it was very hard to relax because we were thinking
[01:10:49.690 --> 01:10:53.470]  about, well, what was happening with Ebola as the whole rest of the world was worried about. So
[01:10:53.470 --> 01:10:59.870]  I happened to meet my, a gentleman who became my coauthor. He was a Harvard public health school
[01:10:59.870 --> 01:11:06.070]  professor. And it turns out I just was, I just happened to randomly meet him there and started,
[01:11:06.070 --> 01:11:12.590]  he told me he had a lot of experience with Ebola in, sorry, with health, public health in West
[01:11:12.590 --> 01:11:17.350]  Africa and East Africa and India and a whole bunch of places. So I said, wow, so you must know all
[01:11:17.350 --> 01:11:22.590]  about what's going on there. And so I just asked him questions and we just kept talking and kept
[01:11:22.590 --> 01:11:27.730]  in touch. And then realizing that there may be some ways to solve this problem in a, you know,
[01:11:27.730 --> 01:11:32.470]  kind of a cool headed way, as opposed to all the panic that was being, if you look at the
[01:11:32.470 --> 01:11:37.170]  literature at the time, there were people who were openly panicking and it was kind of a strange
[01:11:37.170 --> 01:11:42.230]  time. And so, so we said, we wrote some things down on paper, just started emailing a bunch of
[01:11:42.230 --> 01:11:46.670]  people and saying, Hey, could you try this and do that? And, you know, and ultimately about a
[01:11:46.670 --> 01:11:54.570]  month later, that paper, that, that, that got written into a sort of article format and we
[01:11:54.570 --> 01:12:00.270]  submitted it and it got published in the Lancet. And then the president of Guinea saw that and
[01:12:00.270 --> 01:12:06.690]  invited my coauthor to, to come advise him on how to, how to control Ebola in his country. And
[01:12:06.690 --> 01:12:12.250]  he was supposed to be there for two weeks. He ended up there for, for six months unexpectedly.
[01:12:12.250 --> 01:12:16.290]  And I was there on the phone with him almost every day, just we're working through the details of how
[01:12:16.290 --> 01:12:22.750]  you create a national Ebola response. So that's how I got plunged into this pandemics field just
[01:12:22.750 --> 01:12:32.350]  by completely a bunch of random events. So now we're in COVID. Yeah. And you have the experience
[01:12:32.350 --> 01:12:40.750]  with Ebola. So how is that medical data being, being taken in? How is it being allocated?
[01:12:41.470 --> 01:12:49.190]  Okay. So that's great. So the data is, is not, it's still not where it needs to be. And I think
[01:12:49.190 --> 01:12:53.950]  there's a lot of, as we know, there's, there's these big problems with the CDC and the federal
[01:12:53.950 --> 01:12:59.130]  government trying to gather the data from all over the country. And our testing is far behind what it
[01:12:59.130 --> 01:13:04.430]  needs to be. But we're probably seeing a very small percentage of the cases that are actually
[01:13:04.830 --> 01:13:10.010]  people are having. This is, this is a disease that has asymptomatic infection as well as
[01:13:10.010 --> 01:13:17.210]  pre-symptomatic spread. So we're basically only seeing a fraction of the, of the picture.
[01:13:17.690 --> 01:13:24.670]  And this, this is a reflected way. We know this is that if you so in other words, I think the
[01:13:24.670 --> 01:13:29.510]  data that we have is only a small fraction of what really is out there. And I think that's
[01:13:29.510 --> 01:13:35.050]  the point I'm trying to make is that we, whatever data we have is, is a tiny, tiny, you know
[01:13:35.770 --> 01:13:40.650]  reflection of the, of the ocean. So how is the data that we have
[01:13:40.650 --> 01:13:47.270]  going to influence COVID care? And then beyond that, once we get past COVID,
[01:13:47.270 --> 01:13:51.430]  how is this data going to influence change within healthcare as a whole?
[01:13:52.510 --> 01:13:57.050]  This data is already influencing, I think, in a very big way. I think, for example, you know,
[01:13:57.050 --> 01:14:01.510]  the like take the state of California there, the there's a, there's a metric called a positivity
[01:14:01.510 --> 01:14:06.210]  rate, which is the percentage of tests that get returned that are tested positive. So if you do
[01:14:06.290 --> 01:14:12.130]  a hundred tests, how many come back positive? On average, it's 7% in the state of California,
[01:14:12.130 --> 01:14:20.470]  but in parts of the state, it's actually 12 or 20% close to 10, 14, 17, 20%. Like that's in
[01:14:20.470 --> 01:14:25.710]  central California right now. Whereas in the, in the San Francisco Bay area, it's closer to two to
[01:14:25.710 --> 01:14:30.570]  4%. So the average is not really reflecting the whole state. It's, it's really highly variable.
[01:14:30.570 --> 01:14:35.410]  So that people are using that data, that percentage to allocate resources. So the governor
[01:14:35.410 --> 01:14:42.510]  allocated $52 million of extra effort, you know, to do contact tracing and a whole bunch of things
[01:14:42.510 --> 01:14:48.590]  for central California based on that data, based on that positivity rate. So that's one way in which
[01:14:48.590 --> 01:14:54.750]  the data is really important. It gives us insight into where the problems are. So
[01:14:57.310 --> 01:15:02.770]  actually, I want to do current state versus future state. So current state with COVID,
[01:15:02.770 --> 01:15:11.090]  how is that data influencing changes in healthcare? And for future state of healthcare,
[01:15:11.090 --> 01:15:17.170]  what are we learning that we need to start changing in how hospitals operate, how patient
[01:15:17.170 --> 01:15:24.730]  care is done? Learning a lot. I think there's a probably a number of different topics that
[01:15:24.730 --> 01:15:30.890]  we could talk about in that area. So I could just pick one maybe. And, you know, I think one is,
[01:15:31.410 --> 01:15:37.290]  the other thing about this is that it's so fast. I mean, this is happening like at light speed,
[01:15:37.690 --> 01:15:43.150]  faster than anybody can even keep up with. So that's the other part about this. The data,
[01:15:43.150 --> 01:15:47.190]  there's obviously a lot of clinical data in terms of treatment of patients that people are learning
[01:15:47.190 --> 01:15:53.190]  about treatments on real time, which works, which doesn't. And there's a really, I think one of the
[01:15:53.190 --> 01:15:58.450]  examples that people point to is there's by the UK National Health Service, where they conducted a
[01:15:58.450 --> 01:16:05.870]  whole bunch of, they constructed a clinical trial for a large number of drugs, and they came up with
[01:16:06.670 --> 01:16:15.370]  dexamethasone as one that has effectiveness for treating COVID patients. And so that's an example
[01:16:15.370 --> 01:16:19.730]  how by properly constructing the trial, they can draw accurate conclusions and come up with
[01:16:19.730 --> 01:16:30.010]  solutions. So from all the information, I think you've been involved in the data couriership
[01:16:30.570 --> 01:16:36.470]  of COVID since it started, is that correct? The data what? The data couriership and gathering
[01:16:36.470 --> 01:16:41.330]  since the beginning of this, since the beginning of COVID? Yeah, that's so much the data and more
[01:16:41.330 --> 01:16:49.910]  the epidemic modeling. Yeah, modeling of how you can control the epidemic. Oh, perfect. Perfect
[01:16:49.910 --> 01:16:54.290]  segue, because that was the next question. So what is the data showing you on how to control this?
[01:16:54.770 --> 01:17:00.290]  What should the American society understand about how the data should influence how we're going to
[01:17:00.290 --> 01:17:07.310]  control this? Okay, great question. I think one of the things that we can do, so the testing is
[01:17:07.310 --> 01:17:12.310]  something that we have tried to do, and we are doing and continuing to improve at some rate,
[01:17:12.310 --> 01:17:17.310]  and it's now in full swing, and people are trying to increase testing all over the country and
[01:17:17.310 --> 01:17:23.950]  make it better, cheaper, faster, which is all good. It's certainly not been enough. And so
[01:17:23.950 --> 01:17:27.910]  that doesn't mean that, you know, we want to stop testing, we want to keep going.
[01:17:28.130 --> 01:17:32.850]  And that will help us find cases and reduce the burden, but we need something else
[01:17:32.850 --> 01:17:37.990]  to control the spread and combination. And I think we talked about this on our
[01:17:39.330 --> 01:17:46.750]  podcast about how combining it with masks or social protections of some kind will,
[01:17:46.750 --> 01:17:51.590]  and that could include social distancing or anything, would be able to bring the transition
[01:17:51.590 --> 01:18:01.050]  rate below one, the R0 below one, in order to stop the spread of the epidemic. And since we
[01:18:01.050 --> 01:18:07.830]  talked at a time, one thing that's become clear is that people are finding that the virus
[01:18:07.830 --> 01:18:15.230]  transmits not only through droplets, which are greater than five microns in size, but also in
[01:18:15.230 --> 01:18:21.090]  aerosols, which are smaller, less than five microns, even less than one micron. And the
[01:18:21.090 --> 01:18:27.270]  properties of these droplets are that they pass right through the cloth or cotton masks that
[01:18:27.270 --> 01:18:32.750]  people are wearing. So although the cotton masks will filter a certain percentage of the
[01:18:33.790 --> 01:18:40.530]  virus that's exhaled by the breath or incoming in the environment, these aerosols linger for
[01:18:40.530 --> 01:18:45.230]  many hours and they can pass right through this cloth. And so we're only getting partial
[01:18:45.230 --> 01:18:50.190]  protection. And so one of the things we can do, we discovered, I think this has all happened
[01:18:50.190 --> 01:18:58.110]  the last 30, 40 days, is that using... it's kind of like these cloth masks are like socks,
[01:18:58.110 --> 01:19:02.990]  and we need shoes. We need something that's going to be much better if we want to keep
[01:19:02.990 --> 01:19:08.690]  walking in the streets. And so the one example of that is, of course, in healthcare settings,
[01:19:08.690 --> 01:19:15.630]  people use N95 masks. And these N95 masks are designed to stop the aerosols, to give the shoes
[01:19:15.630 --> 01:19:21.430]  of the industry, except that they've been reserved for healthcare workers because they need them.
[01:19:21.450 --> 01:19:26.950]  But the problem is that the more the virus spreads in the community, the more cases they're going to
[01:19:26.950 --> 01:19:32.750]  be showing up at the hospital. So you're actually not really solving any problem by more and more
[01:19:32.750 --> 01:19:35.790]  people getting infected, more and more people showing up at the hospital, and even more people
[01:19:35.790 --> 01:19:40.870]  dying. So there are actually industrial masks that are not used by the hospital system. This
[01:19:40.870 --> 01:19:48.390]  is an example. This is one example. It's a NIOSH-approved N95 mask, and it could be used
[01:19:48.390 --> 01:19:53.410]  by essential workers or healthcare workers... I'm sorry, non-healthcare workers to protect
[01:19:53.410 --> 01:19:58.270]  themselves. And because these people who are exposed on a daily basis to the public and to
[01:19:58.270 --> 01:20:03.490]  other workers that are keeping the economy running, they are actually... they're finding
[01:20:03.490 --> 01:20:07.970]  that those are the people ending up in the hospital. And so, you know, people staying at
[01:20:07.970 --> 01:20:14.410]  home who can isolate, they're much less likely to get the virus than the people who are obviously
[01:20:14.410 --> 01:20:20.830]  exposed. And that obviously makes logical sense. So these types of masks. Another mask is this
[01:20:20.830 --> 01:20:34.790]  mask here. It's from Canada. It has an N95 filter in it. And it has... let me get the other one that
[01:20:34.790 --> 01:20:43.390]  I have here. This is a little bit more very industrial looking, but it's an elastomeric mask.
[01:20:43.390 --> 01:20:48.950]  You put it on like this and strap it around. And these are N95 filters. But the point... the thing
[01:20:48.950 --> 01:20:54.550]  is, these are just like a seat belt. They're dummy-proof. They're very easy to use. They
[01:20:54.550 --> 01:20:59.490]  don't require this big, you know, careful fitting and healthcare training and all that.
[01:20:59.510 --> 01:21:04.410]  They're stretchy. And the word elastomeric means stretchy. So that's what we can do is by wearing
[01:21:04.410 --> 01:21:10.670]  these kinds of off-the-shelf pre-approved masks and putting them in the hands of essential
[01:21:10.670 --> 01:21:18.970]  workers, I think we can make a big difference. So last question. What's your call to arms
[01:21:18.970 --> 01:21:25.390]  from the security research community, from healthcare, from the American population?
[01:21:26.370 --> 01:21:32.490]  I call to arms. I think right now... I think I already sort of discussed a little bit more.
[01:21:32.490 --> 01:21:37.050]  I think essential workers need these masks, these N95-capable masks. Without that...
[01:21:38.490 --> 01:21:43.090]  until this... I think that's really the number one thing we need to get done right now,
[01:21:43.090 --> 01:21:49.050]  is put them... protect the essential workers so that they don't spread the disease and get sick
[01:21:49.050 --> 01:21:55.930]  and bring it home to their families. And I think that would be the number one thing that would...
[01:21:55.930 --> 01:22:02.070]  Thank you, Sri, from patientknowhow.com. So go check that out for more information on everything
[01:22:02.070 --> 01:22:07.890]  that he's just talked about. Thank you so much. Thank you. So for everyone that doesn't know,
[01:22:08.830 --> 01:22:16.250]  this is Josh, our recording producer for this year's virtual conference,
[01:22:16.250 --> 01:22:22.570]  and he literally just got told that he is the next interview for this keynote. So let's all
[01:22:22.570 --> 01:22:33.130]  welcome Josh. And just to be clear, he does not work in the cybers, but the reason I wanted you
[01:22:33.130 --> 01:22:42.130]  here is literally that reason. You've recorded... I think there's one more talk left. You've recorded
[01:22:42.130 --> 01:22:51.070]  95% of the talks that we've had so far. How's your brain? It is really full because I did not
[01:22:51.070 --> 01:22:57.570]  have any understanding of this field before, and I just watched like 20, I think 28 lectures or
[01:22:57.570 --> 01:23:02.210]  seminars or whatever we call them. And I'm just the type of personality that if I'm watching
[01:23:02.210 --> 01:23:06.690]  something, I'm really paying attention to it and trying to figure it out. So it's kind of bursting
[01:23:06.690 --> 01:23:15.850]  at the moment. So from all the talks you've heard, where in life are your concerns for healthcare?
[01:23:16.470 --> 01:23:24.650]  Well, the massive lack of any type of cybersecurity at many HDOs is pretty bad. Personally, I'm going
[01:23:24.650 --> 01:23:29.910]  to be working at a small mental health clinic in a few weeks, and I'm sure that I'll be asking them
[01:23:29.990 --> 01:23:35.010]  a lot of questions about what their cybersecurity is, especially since we're delivering all of our
[01:23:35.010 --> 01:23:42.710]  services over telehealth. So what are the concerns for that? But I also really enjoyed Yusuf's talk
[01:23:42.710 --> 01:23:48.710]  about representation in medical studies, and I think that's super important in research,
[01:23:48.710 --> 01:23:53.630]  coming from, again, studying social work. So coming from that background,
[01:23:53.630 --> 01:23:56.470]  that's also really important now, especially now when we see such
[01:23:59.490 --> 01:24:02.730]  dramatic demographic distribution of COVID cases.
[01:24:05.850 --> 01:24:11.670]  What are your takeaways? What should we be working on as a security community?
[01:24:12.290 --> 01:24:16.850]  What's your greatest concern that you think we should get to straight away?
[01:24:16.850 --> 01:24:23.170]  Well, I thought Sri's takeaway on getting masks to essential workers seems like the most urgent
[01:24:23.170 --> 01:24:29.450]  takeaway from any of the talks now, just because that specifically saves lives. But I don't think
[01:24:29.450 --> 01:24:32.090]  that's really cybersecurity, so I don't know if that really answers it.
[01:24:32.170 --> 01:24:39.690]  It's part of the maker space, part of it. So then if we're going to go back into the security side,
[01:24:39.690 --> 01:24:46.750]  being that you've heard 28 intense talks, and I'm not sorry for that,
[01:24:47.510 --> 01:24:55.290]  and you're going to go into social work, and you have an understanding, you very likely have a
[01:24:55.290 --> 01:25:01.990]  better understanding of how healthcare works now and the security around it, more so than
[01:25:01.990 --> 01:25:06.810]  a lot of other patients out there. As a patient, as someone going into the hospital,
[01:25:07.710 --> 01:25:15.550]  what's your takeaway? What's your greatest need now as a patient walking in?
[01:25:15.550 --> 01:25:19.970]  Well, I've never liked to go to the hospital, and I sure don't now. But if I did,
[01:25:19.970 --> 01:25:26.430]  I think I would just make sure that either myself or a companion who was with me double-checked
[01:25:26.430 --> 01:25:33.090]  that whoever was treating me or administering medication or other treatments has my correct
[01:25:33.090 --> 01:25:37.350]  record and that the information is correct, that my blood type is correct, things like that. I
[01:25:37.350 --> 01:25:42.290]  would just double-check things, which I always cross-examine a doctor when I talk to them anyway.
[01:25:42.310 --> 01:25:47.050]  And I think that being an informed patient is really important. So I think that the potential
[01:25:47.610 --> 01:25:52.010]  for accidental mishaps is probably the thing that would concern me the most.
[01:25:54.590 --> 01:26:01.590]  How do you think our community can engage more? You know what? Not even our community. How can
[01:26:01.590 --> 01:26:07.710]  your community engage more? What's my community? What is your community? My community right now is
[01:26:07.710 --> 01:26:14.830]  my son, my wife, and my dog and me. Okay, so how can your community engage more in the healthcare
[01:26:15.870 --> 01:26:22.970]  security side of the house? Wow, I'm not sure I have an answer to that. Okay. I mean, I'll be
[01:26:22.970 --> 01:26:27.130]  talking to people at the clinic and so forth and people that I, you know, study with in social work
[01:26:27.130 --> 01:26:33.570]  school and professors for all my classes moving forward now for the next couple years because I
[01:26:33.570 --> 01:26:39.330]  have attended this conference as the video producer. So I think it would probably be in the
[01:26:39.330 --> 01:26:44.730]  form of conversations with people, you know, in the social work field from my perspective.
[01:26:46.350 --> 01:26:53.390]  What questions do you have for the security folks, the biohackers? I think I did have a question.
[01:27:00.250 --> 01:27:05.530]  Societal change. I mean, changing social policy. One thing I do know from studies and from just a
[01:27:05.530 --> 01:27:10.530]  career in journalism is that changing social policy in the United States, even when we're at a
[01:27:10.530 --> 01:27:18.590]  World War II level event like we're having right now with the coronavirus, is still tremendously slow.
[01:27:18.590 --> 01:27:23.270]  I think that, and this kind of goes back to the other question about outreach, I think that maybe
[01:27:23.270 --> 01:27:27.690]  people in the community need to be doing more outreach through people that they know, whether
[01:27:27.690 --> 01:27:34.450]  it's on, you know, probably on social media, just to sort of raise questions and try to stimulate
[01:27:34.450 --> 01:27:40.430]  some dialogue about what people should be, what regular people should be prioritizing in this
[01:27:40.430 --> 01:27:44.070]  situation. And, you know, I mean, it's going to come down to who people vote for in November,
[01:27:44.070 --> 01:27:47.790]  but it's also, it also comes down to like, how are you going to spend your time online on social
[01:27:47.790 --> 01:27:54.470]  media? You know, whether it's, are you going to be sharing memes or maybe having a substantial
[01:27:54.470 --> 01:27:59.350]  conversation with somebody in the community who might actually have some suggestions for how to
[01:27:59.350 --> 01:28:05.930]  improve the situation. I know a few people, just by virtue of living where I do, it's a very IT
[01:28:05.930 --> 01:28:11.490]  heavy, you know, neighborhood. And we have people who've been building respirators in their, or
[01:28:11.490 --> 01:28:15.870]  ventilators in their rooms, or designing software for it, or, you know, building masks and things
[01:28:15.870 --> 01:28:20.170]  like that. So I think that kind of community outreach is really important. I think that,
[01:28:20.170 --> 01:28:24.450]  you know, that is maybe the type of thing we should be using social media more for these
[01:28:24.450 --> 01:28:30.430]  days than spreading bad information. So I wanted to make sure people knew who you were,
[01:28:30.430 --> 01:28:34.670]  because thank you so much for being part of The Village this year. There's so many people
[01:28:34.670 --> 01:28:40.550]  that are involved that don't get the accolades that they need. So thank you everyone that I
[01:28:40.550 --> 01:28:46.130]  interviewed. Thank you for trusting me enough to come in cold. I want to thank the organizers
[01:28:46.770 --> 01:28:56.850]  for this year. It was, it was a work of love. And thank you to Beau, Sidney, Andrea, Bill,
[01:28:56.850 --> 01:29:02.030]  Najla, the volunteers, the sponsors, the device folks that are working with us.
[01:29:02.030 --> 01:29:06.850]  We appreciate you attendees so much. Watch this space. Enjoy the show.
